Establish, implement, and maintain cybersecurity roles and responsibilities.


CONTROL ID: 13201
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define and assign workforce roles and responsibilities., CC ID: 13267

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The responsible officer(s) or executive officer(s) responsible for the overall management and supervision of the internet trading system should define a cybersecurity risk management framework (including but not limited to policies and procedures), and set out key roles and responsibilities. These r… (3.1. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • The major role of top management involves implementing the Board approved information security policy, establishing necessary organizational processes for information security and providing necessary resources for successful information security. It is essential that senior management establish an e… (Boards of Directors/Senior Management ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • a governance framework clarifying the roles and responsibilities of relevant stakeholders at national level, underpinning the cooperation and coordination at the national level between the competent authorities, the single points of contact, and the CSIRTs under this Directive, as well as coordinati… (Article 7 1(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • the tasks and responsibilities of the cyber crisis management authorities; (Article 9 4(b), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Each Member State shall designate or establish one or more CSIRTs. The CSIRTs may be designated or established within a competent authority. The CSIRTs shall comply with the requirements set out in Article 11(1), shall cover at least the sectors, subsectors and types of entity referred to in Annexes… (Article 10 1., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Each Member State shall designate or establish one or more competent authorities responsible for cybersecurity and for the supervisory tasks referred to in Chapter VII (competent authorities). (Article 8 1., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity. (§ 69(1), UK Data Protection Act 2018 Chapter 12)
  • The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size. (§ 69(3), UK Data Protection Act 2018 Chapter 12)
  • informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person's obligations under this Part, (§ 71(1)(a), UK Data Protection Act 2018 Chapter 12)
  • conducting audits required under those policies. (§ 71(2)(d), UK Data Protection Act 2018 Chapter 12)
  • training staff involved in processing operations, and (§ 71(2)(c), UK Data Protection Act 2018 Chapter 12)
  • raising awareness of those policies, (§ 71(2)(b), UK Data Protection Act 2018 Chapter 12)
  • assigning responsibilities under those policies, (§ 71(2)(a), UK Data Protection Act 2018 Chapter 12)
  • providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section, (§ 71(1)(b), UK Data Protection Act 2018 Chapter 12)
  • monitoring compliance by the controller with this Part. (§ 71(1)(f), UK Data Protection Act 2018 Chapter 12)
  • monitoring compliance with policies of the controller in relation to the protection of personal data, and (§ 71(1)(e), UK Data Protection Act 2018 Chapter 12)
  • must not dismiss or penalise the data protection officer for performing the tasks mentioned in section 71. (§ 70(3)(c), UK Data Protection Act 2018 Chapter 12)
  • must ensure that the data protection officer does not receive any instructions regarding the performance of the tasks mentioned in section 71; (§ 70(3)(a), UK Data Protection Act 2018 Chapter 12)
  • The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity. (§ 69(1), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size. (§ 69(3), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person's obligations under this Part, (§ 71(1)(a), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • conducting audits required under those policies. (§ 71(2)(d), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • training staff involved in processing operations, and (§ 71(2)(c), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • raising awareness of those policies, (§ 71(2)(b), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • assigning responsibilities under those policies, (§ 71(2)(a), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section, (§ 71(1)(b), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • monitoring compliance by the controller with this Part. (§ 71(1)(f), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • monitoring compliance with policies of the controller in relation to the protection of personal data, and (§ 71(1)(e), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • must not dismiss or penalise the data protection officer for performing the tasks mentioned in section 71. (§ 70(3)(c), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • must ensure that the data protection officer does not receive any instructions regarding the performance of the tasks mentioned in section 71; (§ 70(3)(a), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Where the organization acts in both roles (e.g. a PII controller and a PII processor), separate roles shall be determined, each of which is the subject of a separate set of controls. (§ 5.2.1 ¶ 4, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization shall determine its role as a PII controller (including as a joint PII controller) and/or a PII processor. (§ 5.2.1 ¶ 2, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization coordinates and aligns roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework with internal and external partners. (GV.RR-1.1, CRI Profile, v1.2)
  • The individuals who fulfill the organization's physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities. (PR.AT-5.1, CRI Profile, v1.2)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (Business Environment (DM.BE), CRI Profile, v1.2)
  • The organization has designated appropriate roles and responsibilities, including an individual responsible for cybersecurity for the organization. (Roles and Responsibilities (GV.RR), CRI Profile, v1.2)
  • Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. (GV.RR-1, CRI Profile, v1.2)
  • Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established. (ID.AM-6, CRI Profile, v1.2)
  • Roles and responsibilities for the entire cybersecurity workforce and directly managed third-party personnel are established, well-defined and aligned with internal roles and responsibilities. (ID.AM-6.1, CRI Profile, v1.2)
  • The organization coordinates and aligns roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework with internal and external partners. (GV.RR-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Roles and responsibilities for the entire cybersecurity workforce and directly managed third-party personnel are established, well-defined and aligned with internal roles and responsibilities. (ID.AM-6.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The individuals who fulfill the organization's physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities. (PR.AT-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reading documents about the service organization's security awareness and training programs, communication of code of conduct, employee handbooks, information security policies, incident notification procedures, and other available documentation to understand the service organization's processes for… (¶ 3.59 Bullet 8, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established (ID.AM-6, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners (ID.GV-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established (ID.AM-6, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Review and apply organizational policies related to or influencing the cyber workforce. (T0388, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Integrate cyber planning/targeting efforts with other organizations. (T0732, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review and apply organizational policies related to or influencing the cyber workforce. (T0388, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Integrate cyber planning/targeting efforts with other organizations. (T0732, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated (Roles, Responsibilities, and Authorities (GV.RR), The NIST Cybersecurity Framework, v2.0)
  • Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced (GV.RR-02, The NIST Cybersecurity Framework, v2.0)
  • Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally (GV.SC-02, The NIST Cybersecurity Framework, v2.0)
  • The Federal Government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Where Federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the Administration will… (STRATEGIC OBJECTIVE 1.1 Subsection 1 ¶ 1, National Cybersecurity Strategy)
  • carrying out other duties as determined by the controller or set forth in complementary rules. (Art. 41 § 2 IV, Brazilian Law No. 13709, of August 14, 2018)